LUSID’s role-based access management system (RBAC) is designed to give you precise control over who can do what in your LUSID domain. It consists of two separate but interrelated systems:
- The identity management system controls how users authenticate (that is, sign in) to LUSID.
- The access control system controls which LUSID datasets and features users are permitted to access once authenticated.
Your ability to administer these systems is itself subject to access control permissions, but if you have sufficient privileges you can use the Identity and Access menu in the LUSID web app.
Alternatively, you can interact with these systems programmatically using a variety of API and SDK resources.
Explanation: Understand the big picture
- Understanding how LUSID’s identity management and access control systems work
- RBAC vs UBAC: Setting up user-based access control for LUSID
Tutorials: Get started by doing something tangible
- Onboarding users into LUSID
- Setting up basic access control for different users
- Authorising an application or service to call the LUSID API
- Controlling access to properties (coming soon)
- Troubleshooting a failed access request
Reference: Understand concepts and implications
- What are a personal user and a service user?
- What is a role?
- What are a policy and a policy collection?
- When do changes to a user's permissions take effect?
- What are an API access token and a client secret?
- What is a personal access token?
- What default roles and policies are provided with LUSID?
- What API and SDK resources are available for IAM?
How-to guides: Get something done
- How do I set up a personal user account?
- How do I set up MFA?
- How do I reset my password if I've forgotten it?
- How do I change passwords or MFA settings, or revoke access?
- How do I use SSO in conjunction with LUSID?
- How do I set up a service user account?
- How do I generate and reveal a client secret?
- How do I obtain and use a short-lived API access token from Okta?
- How do I create or revoke a long-lived personal access token?
- How do I decode an API access token? (coming soon)
- How do I use an API access token with the SDKs?
- How do I create a role?
- How do I create a feature policy?
- How do I create a data policy?
- How do I create a data policy to control access to properties?
- How do I create a policy from a JSON document?
- How do I specify an expiry date or a rolling validity date for a policy?
- How do I create a policy collection?
- How do I assign policies, roles and users to each other using the API?